After a U.S. airstrike killed Islamic Revolutionary Guard Corps Quds Force General Qasem Soleimani in January, U.S. officials braced for a retaliation. A few days later it came: Iranian forces conducted a ballistic missile assault on two U.S. bases situated in Iraq, leaving more than 100 U.S. servicemembers with traumatic brain injuries.

After the strike, U.S. President Donald Trump hailed the fact that no American soldiers were killed, and he said in public remarks that “Iran appears to be standing down.” But some experts and officials say that, in terms of retaliatory actions, Iran may not be finished.

“Iran has a long history of striking when their adversaries least expect it…. We may not be out of the woods yet,” wrote former FBI Deputy Director Andrew McCabe in an op-ed article published in The Washington Post after Iran’s strike.

McCabe argued that expecting Iran to stand down after its measured attack on a military target would be tantamount to ignoring the lessons of the past because Iran has a history of conducting asymmetric attacks through proxy forces and terrorist cells. “It is those deniable, civilian-focused attacks that we should be looking for as this situation unfolds,” McCabe wrote.

And in recent years, Iran has shown it is willing to strike within U.S. borders. In 2011, for example, McCabe said the FBI learned that Soleimani’s Quds Force was directing a plot to assassinate Saudi Arabia’s ambassador to the United States by setting off a bomb inside a Washington, D.C. restaurant. The suspected bomber, a dual Iranian/U.S. citizen, was convicted in 2013 and sentenced to 25 years imprisonment.

Then in 2017, two foreign nationals were arrested in the United States and charged with several crimes committed while working as agents for Hezbollah, a Lebanon-based political organization that has been classified by the U.S. government as a terrorist group. The two agents had been recruited and sent to the United States by Hezbollah’s External Security Organization, McCabe said.

Iran’s support of Hezbollah is key when parsing possible future retaliatory attacks, says Damian Crilly, a counterterrorism expert who has worked for Her Majesty’s Government in the United Kingdom and globally and has served as a counterterrorism advisor to London’s Metropolitan Police Service.

It’s important to understand that “Iran has always done things through proxy groups” such as Hezbollah, says Crilly, who is a member of the ASIS International Global Terrorism, Political Insta­bility, and International Crime Council. “They have sleeper cells all over the world,” Crilly says. “The Iranians are used to playing the long game. They have a degree of patience.”

Given this, U.S. government officials have been spreading the word about the need for heightened security. In January, the U.S. Department of Homeland Security (DHS) issued a National Terrorism Advisory System Bulletin that expressed concern about possible retaliatory actions by Iran.

“We remain concerned that violent extremist organizations tied to the regime, including their various partner organizations, may continue to pose a general threat against American citizens and interests both overseas and in the homeland,” the DHS bulletin said.

The department also expressed concern regarding the ability of Iran’s proxies to strike within U.S. borders. “Iran and its partners, such as Hezbollah, have demonstrated their capability to conduct various operations in the United States,” DHS said.

More specifically, Homeland Sec­urity warned that Iran is capable of disrupting U.S. critical infrastructure with a cyberattack. “Based on Iran’s historic homeland and global targeting patterns, the financial services and energy sectors, maritime assets, as well as U.S. government and symbolic targets represent consistent priorities for Tehran’s malicious operational planning,” DHS said.

The department acknowledged that such attacks could be on either military targets—such as the recent attack on U.S. bases in Iraq—or private sector targets. So, the department directed private sector partners “to remain vigilant in the event of a potential Iran-directed or violent extremist Iran supporter threat to U.S.-based individuals, facilities, and networks consistent with previously observed covert surveillance and possible pre-operational activity.”

Also highlighting the threat from Iran is the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which operates under the DHS umbrella and describes itself as the nation’s risk advisor. The agency issued a CISA Insight bulletin, titled “Increased Geopolitical Tensions and Threats,” in January.

“Iran and its proxies and sympathizers have a history of leveraging cyber and physical tactics to pursue national interests, both regionally and here in the United States,” CISA wrote. “CISA strongly urges you to assess and strengthen your basic cyber and physical defenses to protect against this potential threat.”

In the bulletin’s “Things to Do” section, CISA urged private sector organizations to beef up security by adopting a state of heightened awareness and preparing a rapid response; increasing organizational vigilance through actions, such as assessing access control protocols and monitoring internal security indicators; ensuring personnel know when and how to report an incident; exercising any incident response plans; and making sure that there is an offline backup of operation-critical information.

CISA also specifically recommended supporting physical protection through several actions, including: connect with local law enforcement and other security partners in the community; plan how to respond to an attack like a bombing; train employees on security events and response, as well as educate all employees on reporting procedures and who to call in emergencies; maintain access control and visitor monitoring; and assess management of the organization’s keys, access cards, uniforms, and badges.

For organizations interested in taking a proactive approach to securing their facilities from a possible terror attack, Crilly says that following the integrated security management principles of deter, detect, delay, respond, and review can be helpful.

The first principle, deter, can be advanced by physical tools such as effective lighting and video surveillance systems, which Crilly says can discourage a potential attacker from targeting the facility. Potential attackers can be detected by an effective perimeter control system.

The third principle, delay, is key because an adversary can make it inside a facility, access classified information, and leave in less time than the average police response. Using multiple perimeter layers, like the ones used by military bases in green zones, can delay attackers long enough to maximize the likelihood of their capture. Meanwhile, the fourth principle, respond, can include making sure any planned response is robust enough to thwart an attack.

Review is necessary to evaluate how physical security can be improved. “You always want to mitigate deficiencies,” Crilly says. For example, in bombing attacks on facilities, a high percentage of casualties results not from the explosion itself, but from the shattering of nearby glass, which flies away in shards. “It comes at you like daggers,” Crilly says. A review that finds this vulnerability may lead the organization to take proactive action and protect its windows with an anti-shatter film treatment.

In the end, many experts and government officials say that Iran’s history and capabilities warrant sustained vigilance by potential targets.